PT-2022-4036 · Hashicorp+1 · Jenkins Hashicorp Vault Plugin+1

Kevin Guerroudj

Published

2022-07-27

Updated

2023-11-22

CVE-2022-36888

CVSS v2.0

6.8

Medium

Vector

AV:N/AC:L/Au:S/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions Jenkins HashiCorp Vault Plugin versions 354.vdb 858fd6b f48 and earlier

Description The issue is related to a missing permission check in the Jenkins HashiCorp Vault Plugin, which can be exploited by attackers with Overall/Read permission to obtain credentials stored in Vault. This can allow a remote attacker to gain unauthorized access to protected information by specifying the path and keys.

Recommendations For Jenkins HashiCorp Vault Plugin versions 354.vdb 858fd6b f48 and earlier, consider restricting access to the plugin until a patch is available, or limit the Overall/Read permission to minimize the risk of exploitation.

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862

Related Identifiers

BDU:2022-04869

CVE-2022-36888

GHSA-VPF7-Q2RX-26MH

Affected Products

Jenkins

Jenkins Hashicorp Vault Plugin

PT-2022-4036 · Hashicorp+1 · Jenkins Hashicorp Vault Plugin+1

CVE-2022-36888

Weakness Enumeration

Related Identifiers

Affected Products

References · 9